Solved

Is a Windows 2003 Terminal Service session secure without a VPN connection?

Posted on 2007-11-23
Last Modified: 2013-11-21
I need to connect two small offices over basic cable broadband connections.  The staff in office A will have a Windows 2003 Server w/ Terminal Services to host a series of applications and files.  The staff in office B will log in via terminal services to their accounts and use the applications/files.  

Is the terminal service connection (from login to logout) secure so that a VPN connection is not needed?  Are there any printing gotchas/concerns over terminal services which I should prepare for?

Other details:
- offices will merge to one single office space in one year (this office to office connection is temporary)
- at times staff may log into terminal service session from home
- both offices currently only have basic cable broadband internet access
- all printing will be local to the office where the user is located (users in office B will need to be able to print to printers local to the office B network; users in office B will not need to print to office A printers)
- offices are not in line of sight and are 10 miles apart
Question by:dandacci

Accepted Solution

by:
Cláudio Rodrigues earned 500 total points
ID: 20341758
This is a question that people will debate all over and have different opinions on the answer. Here you have my own (and I know some here will probably bash me...).
RDP by itself is encrypted. The thing is, due to the way Microsoft implemented the encryption keys, it is subject to man in the middle attacks.
The thing is, in all these years working with TS I have yet to see a single customer that had a TS hacked when exposed to the internet. Not a single one.
So, do I think a VPN is needed? No.
You can implement, if you are paranoid, SecureRDP on the TS (freeware from 2X.com, that we developed before they acquired my company, Terminal-Services.NET) and customize the RDP client to have your own, unique version number and filter by that. Check this article I wrote:
http://www.msterminalservices.org/articles/Customizing-Microsoft-RDP-Client-Part1.html

And you can always install RecordTS on the terminal server (another software we wrote, now under my new company, TSFactory.com) and record everything that happens at the RDP level (in case you want to record someone trying to hack your TS).

For printing, a couple things to keep in mind:
1. Try to get a printer that is supported by native, out-of-the-box Windows Server 2003 drivers (meaning the drivers shipped with the OS, not requiring anything to be installed). These will work for sure.
2. Avoid host based printers (the ones that use the PC to do all the work normally done by the printer hardware).
3. Avoid as much as you can loading ANY printer driver on the TS UNLESS you have no other option.
4. Consider a product like UniPrint, SimplifyPrint or ThinPrint. They sure cost money BUT will save you a LOT of headaches with printing on TS.

And to wrap this up, TS is pretty good with bandwidth utilization, BUT make sure your links are not heavily used for things like web browsing, email, etc.; otherwise RDP will have to compete with everything else and performance will suffer.

Cheers,

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services

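The man-in-the-middle point in the accepted answer comes down to whether the client ever authenticates the server: with the plain RDP security layer it does not, so it will accept whatever key the far end presents. From Windows Server 2003 SP1 on, the RDP-Tcp listener can be switched to an SSL/TLS security layer backed by a server certificate, which closes that gap for clients running Remote Desktop Connection 5.2 or later. The script below is an added example for this thread; it is not code from the original post, from Cláudio Rodrigues, or from the 2X/TSFactory products he mentions. It audits (and with `-Harden`, tightens) the listener settings, and it also inventories the printer drivers loaded on the server so the ones that did not ship with the OS (points 1 and 3 of the printing advice) can be reviewed. It assumes Windows Server 2003 SP1 or later with Windows PowerShell installed, local administrator rights, the default listener name `RDP-Tcp`, the documented value names `SecurityLayer`, `MinEncryptionLevel` and `SSLCertificateSHA1Hash` under that WinStation key, and the heuristic that in-box printer drivers are the ones named in `%windir%\inf\ntprint.inf`.

```powershell
# Added example; not code from the original post or from the products it mentions.
# Assumptions: Windows Server 2003 SP1+, Windows PowerShell installed, run as a
# local administrator, default listener "RDP-Tcp", documented value names under
# the WinStation key. Read-only unless -Harden is passed.
param([switch]$Harden)

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Meaning of the values as documented for the RDP-Tcp WinStation key
$LayerText = @{ 0 = 'RDP Security Layer (server is never authenticated)'
                1 = 'Negotiate (TLS only if the client supports it)'
                2 = 'SSL/TLS (server authenticated by certificate)' }
$LevelText = @{ 1 = 'Low (56-bit, client-to-server only)'
                2 = 'Client Compatible'
                3 = 'High (128-bit, both directions)'
                4 = 'FIPS Compliant' }

function Test-RdpListenerSecurity {
    $cfg   = Get-ItemProperty -Path $ListenerKey
    $layer = [int]$cfg.SecurityLayer          # value absent on pre-SP1 builds -> 0
    $level = [int]$cfg.MinEncryptionLevel
    $hash  = $cfg.SSLCertificateSHA1Hash      # byte[] thumbprint once a certificate is bound
    $hasCert = ($hash -ne $null) -and ($hash.Length -gt 0)

    Write-Output ('Security layer     : {0} - {1}' -f $layer, $LayerText[$layer])
    Write-Output ('Min encryption     : {0} - {1}' -f $level, $LevelText[$level])
    Write-Output ('Server certificate : {0}' -f $(if ($hasCert) { 'bound' } else { 'none' }))

    # The MITM concern from the thread: below layer 2 the client accepts whatever
    # key the far end presents, so it cannot tell the real TS from a relay host.
    if ($layer -lt 2)  { Write-Output 'FINDING: TLS not required; clients do not authenticate the server' }
    if (-not $hasCert) { Write-Output 'FINDING: no certificate bound; TLS cannot be selected until one is' }
    if ($level -lt 3)  { Write-Output 'FINDING: encryption level below High permits weaker negotiated keys' }

    if ($Harden) {
        Set-ItemProperty -Path $ListenerKey -Name MinEncryptionLevel -Value 3 -Type DWord
        if ($hasCert) {
            Set-ItemProperty -Path $ListenerKey -Name SecurityLayer -Value 2 -Type DWord
        } else {
            Write-Output 'SKIPPED: bind a certificate (tscc.msc > RDP-Tcp > General) before requiring TLS'
        }
        Write-Output 'Applied; new connections pick the settings up once the listener restarts'
    }
}

function Get-PrinterDriverInventory {
    # Heuristic (assumed here): drivers shipped with the OS are listed by model
    # name in ntprint.inf; any other driver was loaded on the TS separately.
    $inboxText = [string]::Join("`n", (Get-Content "$env:windir\inf\ntprint.inf")).ToLower()
    foreach ($drv in (Get-WmiObject -Class Win32_PrinterDriver)) {
        $model = $drv.Name.Split(',')[0]      # Win32_PrinterDriver.Name is "Model,Version,Environment"
        $o = New-Object PSObject
        $o | Add-Member NoteProperty Driver   $model
        $o | Add-Member NoteProperty Platform ($drv.SupportedPlatform)
        $o | Add-Member NoteProperty Inbox    ($inboxText.Contains($model.ToLower()))
        $o
    }
}

Test-RdpListenerSecurity
Write-Output ''
Write-Output 'Printer drivers loaded on this server (Inbox = False: review, or remove per the advice above):'
Get-PrinterDriverInventory | Sort-Object Inbox | Format-Table -AutoSize
```

Run it as-is for a report, or with `-Harden` to set the High encryption level and, when a certificate is already bound, require the SSL/TLS layer. Two caveats for the setup in the question: the TLS layer only helps if the certificate chains to a CA the clients trust (otherwise the staff connecting from home will simply click through a warning, which defeats the purpose), and clients older than Remote Desktop Connection 5.2 cannot negotiate it. The driver inventory is a heuristic, so treat an `Inbox = False` row as a driver to look at, not as proof that it is the one breaking printing.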

Author Closing Comment

by:dandacci
ID: 31410733
Thank you Claudio (tsmvp).  Your answer was clear and very helpful.  The printing might get tedious.  I will follow up on your suggestions.  Thank you again!!!